Palo Alto Networks has issued an urgent advisory for its customers following the discovery of multiple critical vulnerabilities in its Expedition tool, which assists with firewall configuration migration.
The vulnerabilities are as follows:
CVE-2024-9463 has a score of 9.9. It’s an OS command injection vulnerability in Palo Alto Networks Expedition which allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9464, with a score of 9.3, is an OS command injection vulnerability that allows a bad actor to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9465 has a severity score of 9.2. This is a SQL injection vulnerability that enables a malefactor to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
CVE-2024-9466 (8.2) is a cleartext storage of sensitive information vulnerability that allows a malicious actor to reveal firewall usernames, passwords, and API keys generated using those credentials.
CVE-2024-9467, with 7.0, is a reflected XSS vulnerability that enables execution of malicious JavaScript in the context of an authenticated Expedition user’s browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft.
Horizon3.ai’s root cause analysis highlighted that the flaws enable attackers to escalate from these vulnerabilities to a full system compromise.
Immediate Patching Advised
Palo Alto Networks strongly recommends that all customers upgrade Expedition to version 1.2.96 or later, where patches for these vulnerabilities have been implemented. The upgrade process will also automatically address the cleartext storage issue (CVE-2024-9466) by removing affected files. Furthermore, the advisory recommends rotating all Expedition and PAN-OS firewall credentials after applying the update as a precaution.
For those who cannot immediately update, Palo Alto Networks advises restricting Expedition access to authorized users and limiting network exposure. While there is currently no evidence of active exploitation of these vulnerabilities, the availability of public exploit code underscores the urgency for organizations to secure their systems promptly.
Not the First Critical Vulnerability
This isn’t the first critical vulnerability Palo Alto has had to disclose this year. In April, the company detailed an actively exploited vulnerability in PAN-OS, tracked as CVE-2024-3400, with a CVSS score of 10.0.
The vulnerability stemmed from two combined bugs in PAN-OS. The first issue involved the GlobalProtect service, which failed to adequately validate session ID formats before storing them, allowing malefactors to save an empty file with a chosen filename. The second bug, which assumes these files are system-generated, uses the filenames in commands. While each bug alone isn’t highly damaging, together they enable unauthenticated remote shell command execution.
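As an added illustration of the two-bug pattern described above (example code written for this summary, not Palo Alto Networks' code), the session ID is allowlist-validated before it can ever become a filename, and the resulting filename is passed to a command as an argv element rather than through a shell. The 32-character alphanumeric ID format and the throwaway session directory are assumptions; the article does not give the real PAN-OS format.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed format: the article does not state the real PAN-OS session-ID
# syntax, so a strict 32-character alphanumeric allowlist stands in for it.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{32}")


class InvalidSessionId(ValueError):
    pass


def validate_session_id(session_id: str) -> str:
    """Closes the first bug: an unchecked ID would otherwise become a
    chosen filename on disk. An allowlist is used, not a denylist of
    '/' or '..', so anything unexpected is rejected outright."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise InvalidSessionId(f"rejected session id: {session_id!r}")
    return session_id


def store_session(session_dir: Path, session_id: str) -> Path:
    """Create the per-session file only for a validated ID and only
    directly under session_dir (the parent check is defence in depth)."""
    path = (session_dir / validate_session_id(session_id)).resolve()
    if path.parent != session_dir.resolve():
        raise InvalidSessionId("path escaped the session directory")
    path.touch()
    return path


def list_session_files(session_dir: Path) -> list:
    """Closes the second bug: filenames reach a command as separate argv
    items with no shell, so a name can never be parsed as shell syntax."""
    result = subprocess.run(["ls", "-1", str(session_dir)],
                            capture_output=True, text=True, check=True)
    return result.stdout.split()


def run_demo() -> dict:
    """Exercise both checks on constructed inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp)
        stored = store_session(session_dir, "a" * 32)
        rejected = []
        for bad in ("../escape", "a;b", "$(x)", "a" * 31):
            try:
                store_session(session_dir, bad)
            except InvalidSessionId:
                rejected.append(bad)
        return {"stored": stored.name, "rejected": rejected,
                "listed": list_session_files(session_dir)}
```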
“A highly sophisticated threat actor discovered that by uniquely combining the two bugs, they could perform a two-stage attack to achieve command execution on the vulnerable device,” the company said at the time.
The threat actor UTA0218 has leveraged these bugs in “Operation MidnightEclipse,” using crafted requests and a backdoor called UPSTYLE to execute commands and deploy reverse proxy tools like GOST.
For detailed technical information and remediation steps, Palo Alto Networks has provided an advisory on its security site, and additional analysis is available from Horizon3.ai, who conducted the initial investigation.
For more details on this advisory, visit the Palo Alto Networks advisory and Horizon3.ai’s root cause analysis.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.